From: todd@lgt.com (Todd Glassey)

I an immediate need of info on the liabilities of BSD type systems, and in particular the BorderWare products.

I heard that in the BorderWare product itself, there are several recently discovered potential "holes"...

I have a particular interest in both the Attack MO against the BSD platforms in general and the Border products in particular...

Please do not send the reply to the lists but to me personally (todd@lgt.com). I will summarize if I get enough info to be worth the effort.

Any comments?

Let me make a very clear statement. No site protected by BorderWare has ever had its Firewall penetrated. Never. This is the second time I've heard rumors about insecurities in the BorderWare software with nothing being brought out to substantiate them. I guess this is just an unfortunate part of doing business - especially in the security domain. I get a bit annoyed by this kind of thing since, regardless of whether we refute such comments, after the discussion itself is forgotten people will often remember that they heard something about a problem with product X. This isn't a criticism of you Todd - you are just reporting that you've heard rumors and asking about them, which is a perfectly reasonable thing to do. Obviously the rumors you heard haven't come along with any facts since you're asking here for the "Attack MO". I would very much like to here about any problem that is real, since if there were any weaknesses we would want to fix them and disseminate the fix as fast as possible. Border takes any potential problem very seriously. A couple of months ago there was a potential weakness that was discovered in the process of Border's ongoing efforts to ensure the security of the product. It was only a security risk with a very specific configuration. No customer has ever reported seeing this. Within two days of this discovery we had a fix and the fix was being actively pushed through the distribution channels to the customer base. It was given high priority and we had our support people calling down to the reseller channels to ensure that they were aware and that they got it out to their clients. We intended to make sure that this potential problem was immediately removed from the firewall even though no one had actually reported a problem. The fix was given free of charge to anyone whether they had a support contract or not. Some customers were even upgraded to a newer version of BorderWare so they could receive the fix. We strongly believe that our customers are entitled to the best available protection. They bought a Firewall for security and they should expect it to be secure. Border will do everything that we can to ensure this is always the case. So, anyone out there if you believe you have some real attack mechanism we want to know. Now that you've sat through the general ranting part of my comments, let me try to answer the BSD specific part. As far as BSD based OS's in general I don't think there is reason to believe that they are any more or less secure than System V based Unix's (or other non-Unix based operating systems for that matter). They all have pro's and con's and they have all had problems and I don't think that one variant has had more problems historically than the other. That said, Border doesn't use a stock BSD based OS anyway. We have put a large amount of effort into "hardening" the kernel so that it is a solid base upon which to build a secure firewall. We don't believe that any stock OS which was designed for a dynamic environment with users on it will really be secure. There are far too many instances (with just about any OS, Unix or otherwise) where someone has gained privilege or increased access to a system by taking advantage of some feature once they managed to get on the box. A firewall should be a static, non-user environment which means that many features are just not required and can be removed or their behavior significantly changed and limited. We spent a considerable amount of manpower stripping down the kernel and leaving only what was really needed. We removed the mechanisms which can be used to gain privilege or increase the levels of access to the system. The BorderWare kernel is in fact one of its strongest assets, and not a potential weakness. Glenn Mackintosh V.P. Technology ------------------------------------------------------------------------ Border Network Technologies Inc. Email: glenn@border.com 20 Toronto Street, Suite 400, Tel: +1 416 368 7157 Toronto, Ontario, Canada, M5C 2B8 Fax: +1 416 368 7789